The team tested its grammar-aware password cracking algorithm against 1,434 passwords containing 16 or more characters, and the algorithm cracked 10% of the dataset.

“We should not blindly rely on the number of words or characters in a password as a measure of its security,” Rao said, in a statement.

The researchers say that while a password based on a phrase or short sentence can be easier for a user to remember, it is also simpler to crack, because grammatical rules narrow word choices and structures. In other words, a passphrase with a pronoun-verb-adjective-noun structure would be easier to crack than one made up of noun-verb-adjective.

The researchers found that “Hammered asinine requirements,” for instance, is harder to crack than even the longer and seemingly clever “Th3r3 can only b3 #1!”

Passwords in general have come under increasing fire from security pros, as some of the highest-profile breaches (LinkedIn, Nvidia) have been the result of password compromises or have resulted in passwords (including encrypted ones) being made public.

Bob Brown is a news editor for Network World, blogs about network research, and works most closely with our staff's wireless/mobile reporters. Follow him on Twitter at Alphadoggs and connect via email at bbrown@nww.com